
Security: Arbitrary command execution in SUSE Manager Server 3.2
Name: Arbitrary command execution in SUSE Manager Server 3.2
ID: SUSE-SU-2020:2292-1
Distribution: SUSE
Platforms: SUSE Manager Server 3.2
Date: Fri, 21 August 2020, 23:53
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Applications: SUSE Manager Server 3.2

Original message


SUSE Security Update: Security update for SUSE Manager Server 3.2
______________________________________________________________________________

Announcement ID: SUSE-SU-2020:2292-1
Rating: moderate
References: #1141663 #1150657 #1153578 #1155794 #1159184
#1159202 #1162391 #1167556 #1167871 #1168227
#1169109 #1169865 #1170331 #1172831 #1173073
#1173946 #1174167 #1174700 #1174768 #1174965

Cross-References: CVE-2020-11022
Affected Products:
SUSE Manager Server 3.2
______________________________________________________________________________

An update that solves one vulnerability and has 19 fixes is
now available.

Description:


This update fixes the following issues:

bind-formula:

- Remove wrong default for bind options preventing correct upload
of bind options using XMLRPC (bsc#1150657)

branch-network-formula:

- Make branch formula to assign home directory to ftp and tftp users
(bsc#1162391)

py26-compat-salt:

- Do not make py26-compat-salt to require python-tornado on SLE15 (all SPs)
- Backport saltutil state module to 2016.11 codebase (bsc#1167556)
- Add new custom SUSE capability for saltutil state module

python-susemanager-retail:

- Allow bind options to be stored to and edited by retail_yaml
(bsc#1150657)

release-notes-susemanager:

- Update to 3.2.15
- Bugs mentioned bsc#1150657, bsc#1162391, bsc#1167556, bsc#1174965,
bsc#1170331, bsc#1159184, bsc#1168227, bsc#1172831, bsc#1173073,
bsc#1167871, bsc#1169109, bsc#1159202, bsc#1168227, bsc#1153578,
bsc#1141663, bsc#1174768, bsc#1173946, bsc#1174167, bsc#1169865,
bsc#1155794

spacewalk-backend:

- Fix issues importing RPM packages with long RPM headers (bsc#1174965)
- Do not make mgr-inter-sync to crash if there are non-ASCII characters on
an exception message (bsc#1170331)
- Validate cached package entries on ISS slave (bsc#1159184)

spacewalk-client-tools:

- Do not crash 'mgr-update-status' because 'long' type is not defined in
Python 3

spacewalk-java:

- Skip upgrades when the target has not the same amount of products as the
installed set (bsc#1168227)
- Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)
- Prevent deadlock on suseusernotification (bsc#1173073)
- Avoid multiple base channels when onboarding minions (bsc#1167871)
- Hide message about changed Update Tag change (bsc#1169109)
- Refresh pillar after channel change
- Use 'changes' field if 'pchanges' field doesn't exist
(bsc#1159202)
- Skip migration targets when they do not have the same amount of products
as the installed set (bsc#1168227)

spacewalk-utils:

- Add FQDN resolver for spacewalk-manage-channel-lifecycle (bsc#1153578)
- Fixes SSL hostname matching (bsc#1141663)

spacewalk-web:

- Fix saving of formulas (bsc#1174768)
- Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)

susemanager:

- Use python2-uyuni-common-libs and python3-uyuni-common-libs for
bootstrap repositories (bsc#1173946)
- Add 'python-singledispatch' to SLE12 (all SPs) and RES7 bootstrap
repos (bsc#1174700)
- Add SLE 15 LTSS Product ID to SLE15 bootstrap repositories, as it is
required to get python3-M2crypto (bsc#1174167)
- Require python3-tornado only for SLE15/SLE15SP1 (bsc#1169865)
- Use python3-M2Crypto for all SLE15 versions and openSUSE Leap 15.1
bootstrap repositories
- Add dbus-1-glib to SLE12SP5 x86_64 to allow onboarding of AWS Cloud
SLE12SP5 clients (they do not have it by default anymore)

susemanager-frontend-libs:

- Upgrade jquery to 3.5.1 - CVE-2020-11022 (bsc#1172831)

susemanager-schema:

- Prevent a deadlock error involving delete_server and update_needed_cache
(bsc#1173073)

susemanager-sls:

- Avoid traceback error due lazy loading which_bin (bsc#1155794)
- Using new module path for which_bin to get rid of DeprecationWarning

How to apply this update:

1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema: spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start


Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE Manager Server 3.2:

zypper in -t patch SUSE-SUSE-Manager-Server-3.2-2020-2292=1



Package List:

- SUSE Manager Server 3.2 (ppc64le s390x x86_64):

release-notes-susemanager-3.2.15-6.61.1
susemanager-3.2.24-3.43.1
susemanager-tools-3.2.24-3.43.1

- SUSE Manager Server 3.2 (noarch):

bind-formula-0.1.1584363976.36bce64-3.6.1
branch-network-formula-0.1.1584363976.36bce64-3.9.1
py26-compat-salt-2016.11.10-6.38.1
python-susemanager-retail-1.0.1584363976.36bce64-2.12.1
python2-spacewalk-client-tools-2.8.22.8-3.15.1
spacewalk-backend-2.8.57.23-3.51.1
spacewalk-backend-app-2.8.57.23-3.51.1
spacewalk-backend-applet-2.8.57.23-3.51.1
spacewalk-backend-config-files-2.8.57.23-3.51.1
spacewalk-backend-config-files-common-2.8.57.23-3.51.1
spacewalk-backend-config-files-tool-2.8.57.23-3.51.1
spacewalk-backend-iss-2.8.57.23-3.51.1
spacewalk-backend-iss-export-2.8.57.23-3.51.1
spacewalk-backend-libs-2.8.57.23-3.51.1
spacewalk-backend-package-push-server-2.8.57.23-3.51.1
spacewalk-backend-server-2.8.57.23-3.51.1
spacewalk-backend-sql-2.8.57.23-3.51.1
spacewalk-backend-sql-oracle-2.8.57.23-3.51.1
spacewalk-backend-sql-postgresql-2.8.57.23-3.51.1
spacewalk-backend-tools-2.8.57.23-3.51.1
spacewalk-backend-xml-export-libs-2.8.57.23-3.51.1
spacewalk-backend-xmlrpc-2.8.57.23-3.51.1
spacewalk-base-2.8.7.24-3.48.1
spacewalk-base-minimal-2.8.7.24-3.48.1
spacewalk-base-minimal-config-2.8.7.24-3.48.1
spacewalk-client-tools-2.8.22.8-3.15.1
spacewalk-html-2.8.7.24-3.48.1
spacewalk-java-2.8.78.29-3.50.1
spacewalk-java-config-2.8.78.29-3.50.1
spacewalk-java-lib-2.8.78.29-3.50.1
spacewalk-java-oracle-2.8.78.29-3.50.1
spacewalk-java-postgresql-2.8.78.29-3.50.1
spacewalk-taskomatic-2.8.78.29-3.50.1
spacewalk-utils-2.8.18.7-3.15.1
susemanager-frontend-libs-3.2.5-3.13.1
susemanager-retail-tools-1.0.1584363976.36bce64-2.12.1
susemanager-schema-3.2.24-3.40.1
susemanager-sls-3.2.31-3.47.1
susemanager-web-libs-2.8.7.24-3.48.1


References:

https://www.suse.com/security/cve/CVE-2020-11022.html
https://bugzilla.suse.com/1141663
https://bugzilla.suse.com/1150657
https://bugzilla.suse.com/1153578
https://bugzilla.suse.com/1155794
https://bugzilla.suse.com/1159184
https://bugzilla.suse.com/1159202
https://bugzilla.suse.com/1162391
https://bugzilla.suse.com/1167556
https://bugzilla.suse.com/1167871
https://bugzilla.suse.com/1168227
https://bugzilla.suse.com/1169109
https://bugzilla.suse.com/1169865
https://bugzilla.suse.com/1170331
https://bugzilla.suse.com/1172831
https://bugzilla.suse.com/1173073
https://bugzilla.suse.com/1173946
https://bugzilla.suse.com/1174167
https://bugzilla.suse.com/1174700
https://bugzilla.suse.com/1174768
https://bugzilla.suse.com/1174965

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates
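
To confirm the update landed, the installed packages can be compared against the fixed versions in the package list above. This is an added example, not part of the SUSE advisory: the version comparison is a simplified form of rpm's segment comparison (no epoch, `~` or `^` handling), the function names are hypothetical, and the sample rpm output is constructed.

```python
import re

# Fixed version-release values copied from the advisory's package list (subset).
FIXED = {
    "susemanager-frontend-libs": "3.2.5-3.13.1",
    "spacewalk-java": "2.8.78.29-3.50.1",
    "spacewalk-html": "2.8.7.24-3.48.1",
    "susemanager-schema": "3.2.24-3.40.1",
}

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
susemanager-frontend-libs 3.2.4-3.10.1
spacewalk-java 2.8.78.29-3.50.1
spacewalk-html 2.8.7.9-3.48.1
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm-style comparison of two version strings: -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # 9 < 24, unlike a string compare
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments are newer

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def audit(rpm_output):
    """Map each advisory package to 'ok', 'needs update' or 'not installed'."""
    installed = dict(l.split() for l in rpm_output.splitlines() if l.strip())
    report = {}
    for name, fixed in FIXED.items():
        have = installed.get(name)
        if have is None:
            report[name] = "not installed"
        else:
            report[name] = "ok" if evr_cmp(have, fixed) >= 0 else "needs update"
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

On a real server, feed `audit()` the output of the rpm query shown in the comment instead of `SAMPLE`.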